Message284408
The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection:
TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"
or
TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"
Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.
The offending code is here: https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

Date | User | Action | Args
2016-12-31 19:00:30 | symphorien | set | recipients: + symphorien
2016-12-31 19:00:30 | symphorien | set | messageid: <1483210830.52.0.920210756798.issue29125@psf.upfronthosting.co.za>
2016-12-31 19:00:30 | symphorien | link | issue29125 messages
2016-12-31 19:00:29 | symphorien | create |
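
An added example, not part of the original report and not CPython's code: it models why the value quoted above does not stay inside a brace-quoted Tcl word, and shows one way to hand the path to Tcl as data instead of script text. The function names are hypothetical, and the `{...}` interpolation pattern is an assumption about the linked lines, which the page does not reproduce.

```python
import os

def escapes_braces(value):
    """Return True if value would not stay inside a Tcl {...} word.

    Follows Tcl's brace matching: nested braces are counted, and a
    backslash removes the character after it from the count.
    """
    depth = 0
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 == len(value):
                return True      # trailing backslash escapes the wrapper's closing brace
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return True      # wrapper closed early; the rest is parsed as script
        i += 1
    return depth != 0            # unbalanced "{" swallows the wrapper's closing brace


def checked_tix_library(environ=os.environ):
    """Return TIX_LIBRARY only if it names an existing directory, else None.

    This is a sanity check, not the fix: a directory with braces in its
    name can exist, so the value must still be passed to Tcl as data.
    """
    path = environ.get("TIX_LIBRARY")
    if path is None or "\0" in path or not os.path.isdir(path):
        return None
    return path


def append_auto_path(interp, path):
    """Append path to Tcl's auto_path without building a script string.

    interp is assumed to be a tkinter Tcl interpreter (e.g. tkinter.Tcl());
    call() passes each argument as one Tcl word, so braces and semicolons
    in path are plain characters.
    """
    interp.call("lappend", "auto_path", path)
```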